Merge pull request #67 from OWASP/Shruti-s-kulkarni-patch-3

Update 01-secure-environment.md

Author: jgadsden

.wordlist.txt

@@ -260,6 +260,8 @@ OWTF
 WebGoat
 px
 ToC
+XML
+weightage
 Okta
 DNS
 WAF

draft/06-secure-design/02-secure-coding.md

@@ -203,7 +203,7 @@ order: 602
       Many technologies now come with data access layers that support input data validation.
       These layers are usually in the form of a library or a package. Ensure to add
       these libraries  / dependencies / packages to the project file such that they are not missed out.
-  * Use a security vetted library for input data validation. Try not to use hard coded whitelist of characters.
+  * Use a security vetted library for input data validation. Try not to use hard coded allow-list of characters.
       Validate all data from a centralised function / routine.
       In order to add a variable to a HTML context safely, use HTML entity encoding
       for that variable as you add it to a web template.

draft/06-secure-design/05-content-security-policy.md

@@ -13,13 +13,14 @@ order: 605
 
 ### 6.5 Content Security policy
 
-Content Security Policy (CSP) helps in whitelisting the sources that are allowed to be executed by clients.
+Content Security Policy (CSP) helps in allow-listing the sources that are allowed to be executed by clients.
 
 To this effect CSP helps in addressing vulnerabilities that are the target of scripts getting executed
 from different domains (namely XSS, ClickJacking)  
 
 1. The policy elements listed below is restrictive.
-    Third party libraries can be whitelisted as a part of `script-src`, `default-src`, `frame-src` or `frame-ancestors`.
+    Third party libraries can be allow-listed as a part of `script-src`, `default-src`, `frame-src`
+    or `frame-ancestors`.
 
 2. I assume fonts / images / media / plugins are not loaded from any external sources.
 
@@ -89,7 +90,7 @@ For display on other mobile devices that use HTML5: `meta http-equiv="Content-Se
 
 #### iOS
 
-iOS framework has capability to restrict connecting to sites that are not a part of the whitelist on the application,
+iOS framework has capability to restrict connecting to sites that are not a part of the allow-list on the application,
 which is the `NSExceptionDomains`. Use this setting to restrict the content that gets executed by the application
 
 ```text

draft/06-secure-design/07-file-management.md

@@ -39,7 +39,7 @@ order: 607
 * Implement safe uploading in UNIX by mounting the targeted file directory as a logical drive
     using the associated path or the chrooted environment
 
-* When referencing existing files, use a white list of allowed file names and types.
+* When referencing existing files, use an allow list of allowed file names and types.
     Validate the value of the parameter being passed and if it does not match one of the expected values,
     either reject it or use a hard coded default file value for the content instead
 

draft/09-secure-environment/01-secure-environment.md

@@ -3,7 +3,7 @@
 title: Secure Environment Introduction
 layout: col-document
 tags: OWASP Developer Guide
-contributors:
+contributors:Shruti Kulkarni
 document: OWASP Developer Guide
 order: 901
 
@@ -23,4 +23,53 @@ and submit your content for review.
 
 [contribute]: https://github.com/OWASP/www-project-developer-guide/blob/main/contributing.md
 
+* The WEB-INF directory tree contains web application classes, pre-compiled JSP files, server side libraries,
+    session information, and files such as `web.xml` and `webapp.properties`.
+    So be sure the code base is identical to production.
+    Ensuring that we have a “secure code environment” is also an important part of
+    an application secure code inspection.
+  
+* Use a “deny all” rule to deny access and then grant access on need basis.
+  
+* In Apache HTTP server, ensure directories like WEB-INF and META-INF are protected.
+    If permissions for a directory and subdirectories are specified in `.htaccess` file,
+    ensure that it is protected using the “deny all” rule.
+  
+* While using Struts framework, ensure that JSP files are not accessible directly
+    by denying access to `*.jsp` files in `web.xml`.
+  
+* Maintain a clean environment. remove files that contain source code but are not used by the application.
+  
+* Ensure production environment does not contain any source code / development tools
+    and that the production environment contains only compiled code / executables.
+  
+* Remove test code / debug code (that might contain backdoors).
+    Commented code can also be removed as at times, it might contain sensitive data. Remove file metadata e.g., .git
+  
+* Set “Deny All” in security constraints (for the roles being set up)
+    while setting up the application on the web server.
+  
+* The listing of HTTP methods in security constraints works in a similar way to deny-listing.
+    Any verb not explicitly listed is allowed for execution. Hence use “Deny All”
+    and then allow the methods for the required roles.
+    This setting carries weightage while using “Anonymous User” role.
+    For example, in Java, remove all <http-method> elements from `web.xml` files.
+  
+* Configure web and application server to disallow HEAD requests entirely.
+  
+* Comments on code and Meta tags pertaining to the IDE used or technology used to develop the application
+    should be removed. Some comments can divulge important information regarding bugs in code
+    or pointers to functionality. This is particularly important with server side code such as JSP and ASP files.
+  
+* Search for any calls to the underlying operating system or file open calls and examine the error possibilities.
+  
+* Remove unused dependencies, unnecessary features, components, files, and documentation.
+  
+* Only obtain components from official sources over secure links.
+    Prefer signed packages to reduce the chance of including a modified, malicious component
+  
+* Monitor for libraries and components that are unmaintained or do not create security patches for older versions.
+    If patching is not possible, consider deploying a virtual patch to monitor, detect,
+    or protect against the discovered issue.
+
 \newpage

draft/09-secure-environment/02-system-hardening.md

@@ -30,7 +30,7 @@ order: 902
       Remove file metadata (e.g. `.git`)
   * Set “Deny All” in security constraints (for the roles being set up)
       while setting up the application on the web server.
-  * The listing of HTTP methods in security constraints works in a similar way to blacklisting.
+  * The listing of HTTP methods in security constraints works in a similar way to deny-listing.
       Any verb not explicitly listed is allowed for execution.
       Hence use “Deny All” and then allow the methods for the required roles.
       This setting is particularly important using “Anonymous User” role.